Break Glass: How to Securely Administer Computers Using Jamf Pro LAPS
In this session, Mark Buffington and William Smith explain what LAPS is and why it is critical for device security. Rob Potvin then walks through a demo of how to secure enterprise devices using LAPS and Jamf Pro.
What is LAPS?
First, Mark Buffington explains what LAPS isn’t. Namely, it is not software, nor is it a command-line tool or a standard protocol. LAPS, short for Local Administrator Password Solution, is better understood as a workflow that allows Jamf admins to “automatically store, rotate, and view the randomized password of a managed local administrator account.”
Why is LAPS critical to endpoint security?
Before LAPS, a long-standing risk vector existed on devices with managed admin accounts that IT staff used for troubleshooting and administrative tasks. Historically, many of these accounts suffered from some or all of the following problems:
- Same password shared
- Multiple admins know the password
- No idea when the account is used
- Updating the password poses challenges
LAPS mitigates this risk, solving these challenges by:
- Creating unique passwords
- Stopping the sharing of passwords
- Auditing who uses the password
- Rotating passwords automatically
How Jamf Pro’s implementation of LAPS strengthens device security
During the presentation, William Smith explains another key benefit for IT and security admins alike of using Jamf Pro to implement LAPS: preserving FileVault passwords. Most enterprise devices require volume encryption to be enabled for that added layer of data protection. However, when a FileVault (FV) user’s password is changed, typical workflows break that FV password, which can lead to a host of security- and productivity-related issues. Because Jamf Pro and LAPS rely on the Jamf Binary on the macOS device itself, FV passwords are preserved: the managed administrator account retains its secure token and keeps its ability to unlock volumes encrypted with FileVault.